
BATTLE-TESTED INDUSTRIAL CYBERSECURITY

SOLUTION BRIEF

PROTECT YOUR PEOPLE, PRODUCTION, AND PROFITS

The Industrial Internet of Things (IIoT) is unlocking new levels of productivity, helping organizations improve safety, increase output, and maximize revenue. At the same time, digitalization is driving deployment of billions of IIoT devices and increased connectivity between IT and Operational Technology (OT) networks, increasing the attack surface and risk of cyberattacks on industrial control systems.

The CyberX platform is the simplest, most mature, and most interoperable solution for auto-discovering assets, identifying critical vulnerabilities and attack vectors, and continuously monitoring ICS networks for malware and targeted attacks. What’s more, CyberX provides seamless integration with existing SOC workflows for unified IT/OT security governance.

THE CYBERX PLATFORM: HIGHLIGHTS

• Address All 4 points of Gartner’s Adaptive Security Architecture: Detect, Respond, Predict, Prevent
• Rapid, Non-Intrusive Deployment
• “Passive Monitoring” to Establish Asset Inventory
• Optional “Selective Probing” or “Active” Asset Discovery
• Expert ICS Threat Intelligence
• Streamlined Incident Response, Threat Hunting & Forensics
• Network Topology Mapping
• Non-Invasive ICS Risk & Vulnerability Assessments
• Centralized Management
• Automated Threat Modeling for ICS
• ICS Malware Sandbox
• High Availability

Example of a real-time alert including detailed contextual information to enable incident response.

www.cyberx-labs.com 1
SOLUTION BRIEF: CyberX Platform

“The risk to OT networks is real – and it’s dangerous and perhaps even negligent for business leaders to ignore it.”
Michael Assante, SANS Director of Critical Infrastructure & ICS/SCADA Security

How are you addressing risk from modern ICS threats like
Industroyer and TRITON?
Recent campaigns clearly demonstrate that perimeter firewalls and conventional ICS/SCADA defenses — including outdated notions like “air-gapping” and “security by obscurity” — are no longer sufficient to protect OT networks from today’s targeted attacks, sophisticated malware, and insider threats.

Business leaders are justifiably concerned about modern ICS threats, which can result in costly production outages, catastrophic safety and environmental failures, and theft of corporate trade secrets.

A NEW APPROACH IS REQUIRED

The new approach must be:

• Continuous and real-time — to immediately alert on unusual activity with minimal false positives.
• Passive and non-intrusive — with zero impact on OT networks and devices.
• Heterogeneous and vendor-agnostic — with broad support for specialized ICS protocols and control system equipment from all ICS vendors (Rockwell Automation, Schneider Electric, Siemens, Yokogawa, etc.).
• Integrated with existing SOC workflows and security tools — including centralized SIEMs, firewalls, IDS/IPS, and security analytics technologies.

WHY CYBERX

CyberX provides the most widely-deployed industrial cybersecurity platform for continuously reducing ICS risk. To date, the company has assessed more than 1200 production ICS networks worldwide, across all sectors.

The CyberX platform delivers continuous ICS threat monitoring and asset discovery, combining a deep embedded understanding of industrial protocols, devices, and applications with ICS-specific behavioral anomaly detection, threat intelligence, risk analytics, and automated threat modeling.

The fact is, CyberX is the only company that addresses all four requirements of Gartner’s Adaptive Security Architecture — with a practical, appliance-based system that can be deployed in less than an hour.


“Advanced targeted attacks are easily bypassing traditional firewalls and signature-based
prevention mechanisms. The enterprise must assume that it is already compromised, so detection
capabilities are critical. The need for continuous and pervasive monitoring and increasingly
advanced analytics is driving advanced detection technologies.”

SOURCE: Smarter with Gartner, “Build Adaptive Security Architecture Into Your Organization,” June 30, 2017, Rob van der Meulen

DETECT
• Continuous monitoring
• Behavioral analytics with self-learning
• Proprietary ICS-specific algorithms to detect anomalies faster, with fewer false positives

PREDICT
• Automated threat modeling to predict most likely paths of attack vector chains
• Baselining behaviors & configurations
• Proprietary ICS-specific threat intelligence (zero-days, malware, adversaries, etc.)

RESPOND
• Deep incident forensics, investigation & threat hunting capabilities
• Full-fidelity PCAPs for drill-down analysis
• SIEM integration including richer information-sharing via IBM QRadar App and Splunk

PREVENT
• Proprietary ICS-specific risk & vulnerability assessments including asset discovery
• Proactive, risk-based prioritization of mitigation actions for hardening critical “crown jewel” assets
• Integration with leading prevention technologies including firewalls, unidirectional gateways, and secure remote access (privileged account security) solutions


CyberX Platform Architecture

CYBERX CENTRAL MANAGER

CAPABILITIES & USE CASES: ICS Asset Management; ICS Risk & Vulnerability Management with Threat Modeling; ICS Threat Monitoring & Detection; ICS Incident Response & Threat Hunting; SOC Integration & REST APIs (SIEMs, Ticketing & Orchestration, Firewalls & Gateways, Secure Remote Access)

SELF-LEARNING ANALYTICS ENGINES: Behavioral Anomaly Detection; Protocol Violation Detection; Network Traffic Analysis (NTA); IT & OT Malware Detection; Data Mining Infrastructure; Unusual M2M Communication Detection; Operational Incident Detection

CORE CAPABILITIES: Embedded Knowledge of ICS Devices & Protocols; Proprietary ICS Threat Intelligence & Vulnerability Research; ICS Malware Sandbox; IP Network & Serial Device Dissectors

The CyberX platform provides “single pane of glass” visibility into a variety of use cases such as ICS incident response, self-learning analytics engines such as behavioral anomaly detection, and core capabilities such as threat intelligence.

RAPID NON-INTRUSIVE DEPLOYMENT

The CyberX appliance connects to a SPAN port or network TAP and immediately begins collecting ICS network traffic via
passive (agentless) monitoring. It has zero impact on OT networks since it isn’t placed in the data path and doesn’t actively
scan OT devices.

CENTRAL MANAGEMENT

CyberX’s Central Manager provides a consolidated view of all your assets, so you can quickly identify where assets are
located based on customizable filters such as type (PLC, RTU, DCS, etc.), manufacturer, model, and firmware revision level.


Central Manager also delivers a real-time view of key OT risk indicators and alerts across all your facilities — tightly integrated
with your SOC workflows and runbooks—to enable easy prioritization of mitigation activities and cross-site correlation of threats.

Finally, Central Manager provides centralized deployment of software, threat intelligence, and configuration updates across
all CyberX appliances in your organization.

GLOBAL COMMAND-AND-CONTROL (Corporate SOC): Global Central Manager, fed by CyberX Global ICS Threat Intelligence and integrated with SIEMs, Ticketing & Orchestration, Secure Remote Access, Firewalls & Gateways, and the CyberX ICS Malware Analysis Sandbox

REGIONAL COMMAND-AND-CONTROL (Country/Business Unit): Central Manager per region

LOCAL COMMAND-AND-CONTROL (Plant/Substation)

CyberX provides a multi-tier architecture with centralized management that delivers scalability, visibility, and control across geographically-distributed sites, as well as integration with SOC security stacks including SIEMs, ticketing and orchestration, next-generation firewalls, secure remote access platforms, and even the CyberX ICS Malware Sandbox.

REAL-TIME ANOMALY DETECTION OF ICS THREATS

The CyberX platform identifies anomalies via continuous monitoring and five different analytics engines that incorporate self-learning to eliminate the need for updating signatures or defining rules. The engines leverage ICS-specific behavioral analytics and data science to continuously analyze OT network traffic for anomalies including: the use of packet structures and field values that violate ICS protocol specifications; behaviors indicating the presence of known malware such as WannaCry/NotPetya; policy violations; operational issues such as early signs of equipment failure; and unusual machine-to-machine (M2M) communications and behaviors.

By modeling ICS networks as deterministic sequences of states and transitions — using a patent-pending technique called Industrial Finite State Modeling (IFSM) — as well as embedding deep knowledge about ICS protocols and applications, the CyberX platform requires a shorter learning period than generic mathematical approaches or analytics originally developed for IT rather than OT. It also detects anomalies faster, with minimal false positives.
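As an added illustration (not CyberX code, and not how the platform’s engines are implemented), the following toy passive monitor shows the two kinds of checks named above: protocol-violation detection against a specification, and learned-baseline detection of unusual M2M communication after a learning period. It assumes Modbus/TCP as the protocol (the brief names none) and uses constructed frames and addresses.

```python
# Added illustration, not CyberX code: a toy passive monitor in the spirit of the protocol-
# violation and unusual-M2M engines described above. Modbus/TCP is assumed (the brief names
# no protocol); every frame and address below is constructed sample data.
import struct
MBAP = struct.Struct(">HHHB")  # Modbus/TCP header: transaction id, protocol id, length, unit id
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}
def parse_modbus(frame):
    """Return ((unit, fc), None), or (None, reason) when the frame violates the spec."""
    if len(frame) < MBAP.size + 1:
        return None, "truncated MBAP header"
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        return None, f"protocol id {proto} != 0"
    if length != len(frame) - 6:
        return None, f"length field {length} != {len(frame) - 6} bytes on the wire"
    if (fc := frame[7]) not in PUBLIC_FUNCTION_CODES:
        return None, f"function code {fc} outside the public set"
    return (unit, fc), None
def build_frame(tid, unit, fc, payload=b""):
    """Constructed request; the length field counts unit id + function code + payload."""
    return struct.pack(">HHH", tid, 0, 2 + len(payload)) + bytes([unit, fc]) + payload
class Monitor:  # learns (src, dst, unit, fc) tuples in a learning period, then alerts
    def __init__(self):
        self.baseline, self.learning = set(), True

    def observe(self, src, dst, frame):
        parsed, reason = parse_modbus(frame)
        if reason:
            return f"PROTOCOL VIOLATION {src}->{dst}: {reason}"
        key = (src, dst, *parsed)
        if self.learning:
            self.baseline.add(key)
        elif key not in self.baseline:
            return f"UNUSUAL M2M {src}->{dst}: unit {parsed[0]} fc {parsed[1]}"
        return None

HMI, PLC, ROGUE = "10.0.1.10", "10.0.2.20", "10.0.1.99"  # constructed addresses
def run_demo():
    mon = Monitor()
    for tid in range(3):  # learning period: the HMI polls holding registers (fc 3)
        mon.observe(HMI, PLC, build_frame(tid, 1, 3, b"\x00\x00\x00\x0a"))
    mon.learning = False
    traffic = [
        (HMI, PLC, build_frame(10, 1, 3, b"\x00\x00\x00\x0a")),                # known, silent
        (ROGUE, PLC, build_frame(11, 1, 16, b"\x00\x00\x00\x01\x02\x00\x01")),  # new writer host
        (HMI, PLC, build_frame(12, 1, 3, b"\x00\x00\x00\x0a")[:-1]),           # length mismatch
        (HMI, PLC, build_frame(13, 1, 99)),                                    # unknown function code
    ]
    return [alert for alert in (mon.observe(*t) for t in traffic) if alert]
```

Calling run_demo() returns three alerts: the rogue host writing to the PLC, the truncated frame, and the undefined function code; the first traffic entry matches the learned baseline and stays silent.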


EXPERT ICS THREAT INTELLIGENCE

CyberX’s in-house team of threat analysts is made up of world-class domain experts who track ICS-specific zero-days, campaigns, and adversaries, as well as reverse-engineer malware. This intelligence enriches our platform analytics and also supports our managed services for incident response and breach investigation.

STREAMLINED INCIDENT RESPONSE, THREAT HUNTING & FORENSICS

The platform provides an intuitive data mining interface for granular searching of historical traffic across all relevant dimensions (e.g., time period, IP or MAC address, ports, plus protocol-specific queries based on function codes, protocol services, modules, etc.). Full-fidelity PCAPs are also provided for further drill-down analysis. The platform integrates out-of-the-box with all SIEMs and offers SIEM-specific modules such as the IBM QRadar and Splunk Apps. The platform also integrates with leading firewall providers such as Palo Alto Networks and orchestration platforms such as ServiceNow. These integrations enable more efficient communication and collaboration between IT and OT teams.

CyberX provides a timeline that makes correlation of events and alerts easier


COMPREHENSIVE ICS ASSET DISCOVERY & NETWORK TOPOLOGY MAPPING

Gaining visibility into all installed ICS assets and how they’re connected is often the first step in strengthening ICS security.
CyberX displays the network based on the Purdue Model, and provides detailed information about devices including name
and type (Historian, PLC, DCS, etc.), IP/MAC, manufacturer, protocols used, serial number, firmware revision level, etc.

CyberX auto-discovers all assets and generates a network topology diagram based on the Purdue Model


The CyberX platform combines passive monitoring and optional selective probing (or “active scanning”) techniques to provide
this information. CyberX’s passive monitoring technology has been widely deployed because it is non-invasive and has zero
impact on production networks. It works by collecting a copy of the traffic from the SPAN port of a network switch or via a
network tap, using proprietary Network Traffic Analysis (NTA) to provide valuable and comprehensive information about your
asset inventory.

Passive monitoring uses SPAN ports or network taps to analyze traffic with zero impact on production networks

Optional selective probing consists of software modules that query Windows and embedded devices like PLCs for specific asset details (such as firmware or Service Pack revision levels) — using safe, vendor-approved commands, scheduled to run as often or as infrequently as desired (typically once per day). The resulting asset information is displayed in our standard console, in the standard asset inventory screens. For example, selective probing provides an immediate snapshot of device details such as OS and firmware revision levels.


NON-INVASIVE ICS RISK & VULNERABILITY ASSESSMENTS

Unique in the industry, CyberX uses proprietary Network Traffic Analysis (NTA) algorithms to passively identify all network and endpoint vulnerabilities such as unauthorized remote access connections, rogue or undocumented devices, weak authentication, vulnerable devices (based on unpatched CVEs), unauthorized bridges between OT subnets, and weak firewall rules. The platform generates a comprehensive report including an objective risk score for the entire ICS network, as well as risk-prioritized mitigation recommendations for strengthening your ICS risk posture.

AUTOMATED THREAT MODELING FOR ICS

Exclusive to CyberX, the company’s Automated ICS Threat Modeling technology applies proprietary algorithms to risk and vulnerability data in order to predict the most likely paths of targeted attacks on ICS/SCADA networks. By generating a visual representation of all possible attack vector chains — ranked by risk — targeting your most critical assets, it enables you to prioritize essential mitigations and simulate what-if scenarios to reduce your attack surface (e.g., “If I isolate or patch this insecure device, does it eliminate the risk to my ‘crown jewel’ assets?”). This enables more effective use of limited skilled resources during narrow maintenance windows.
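As an added illustration (not CyberX code, and not the platform’s algorithm), here is a toy version of the ranked attack-vector-chain and what-if analysis described above: a constructed asset graph with assumed per-asset exposure scores, every chain from an entry point to a crown-jewel asset scored as the product of those scores, and a what-if that isolates one asset and re-runs the ranking. The graph, the scores and the scoring rule are all assumptions.

```python
# Added illustration, not CyberX code: a toy ranked attack-chain model with a what-if check.
# The asset graph, exposure scores and crown-jewel choice are constructed sample data, and the
# scoring rule (product of exposure scores along a chain) is an assumption.

# Exposure score per asset in (0, 1]: the assumed likelihood that an attacker who can reach the
# asset is able to compromise it (e.g. because of unpatched CVEs or weak authentication).
ASSETS = {
    "internet-vpn": 0.9,
    "eng-workstation": 0.6,
    "historian": 0.4,
    "hmi": 0.5,
    "plc-turbine": 0.8,  # the crown-jewel asset
}
# Directed communication paths between assets, as passive monitoring would observe them.
LINKS = {
    "internet-vpn": {"eng-workstation", "historian"},
    "eng-workstation": {"hmi", "plc-turbine"},
    "historian": {"hmi"},
    "hmi": {"plc-turbine"},
    "plc-turbine": set(),
}

def attack_chains(assets, links, entry, target, isolated=frozenset()):
    """All simple paths entry -> target as (risk, path) tuples, highest risk first."""
    chains = []

    def walk(node, path, risk):
        if node == target:
            chains.append((round(risk, 3), path))
            return
        for nxt in sorted(links.get(node, ())):
            if nxt not in path and nxt not in isolated:  # no cycles, skip isolated assets
                walk(nxt, path + [nxt], risk * assets[nxt])

    if entry not in isolated and target not in isolated:
        walk(entry, [entry], assets[entry])
    return sorted(chains, key=lambda chain: chain[0], reverse=True)

def what_if(assets, links, entry, target, isolate):
    """Top chain risk before and after isolating (or fully patching) one asset."""
    before = attack_chains(assets, links, entry, target)
    after = attack_chains(assets, links, entry, target, isolated=frozenset({isolate}))
    return (before[0][0] if before else 0.0), (after[0][0] if after else 0.0)

if __name__ == "__main__":
    for risk, path in attack_chains(ASSETS, LINKS, "internet-vpn", "plc-turbine"):
        print(f"{risk:.3f}  {' -> '.join(path)}")
    print("isolate eng-workstation:", what_if(ASSETS, LINKS, "internet-vpn", "plc-turbine", "eng-workstation"))
```

On the constructed graph, isolating the engineering workstation drops the top chain risk from 0.432 to 0.144, while isolating the HMI leaves it unchanged because the workstation still reaches the PLC directly.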

CyberX’s comprehensive risk & vulnerability assessment report provides an overall security score with detailed information about network and endpoint vulnerabilities discovered via passive monitoring and Network Traffic Analysis algorithms. It also includes remediation recommendations for improving your score over time, prioritized by risk.

Asset discovery includes detailed information about device type, manufacturer, open ports, and vulnerabilities (CVEs), as well as an overall security score for the device.

Unique in the industry, CyberX’s Automated ICS Threat Modeling incorporates proprietary analytics to continuously predict the most likely paths of targeted attacks on ICS/SCADA networks.


ICS MALWARE ANALYSIS SANDBOX

By virtualizing a complete OT environment, CyberX’s ICS Malware Analysis Sandbox can rapidly and automatically identify OT-specific malware, pinpoint its IOCs, and enable threat intelligence sharing across the global ICS community.

Unique in the industry, CyberX’s ICS Malware Analysis Sandbox is a cloud-based subscription service that identifies OT-specific malware -- including zero-day malware -- by executing suspicious files in a virtualized OT environment.

HIGH AVAILABILITY

An optional high-availability (HA) configuration adds a backup centralized management console that periodically receives backups of all configuration files required for recovery. If the master console fails, the local site management appliances will automatically switch to synchronizing with the backup console and continue without interruption.

In addition, each local appliance can be configured to perform periodic backups of its complete system configuration, as well as all event data and the complete system database. Users can configure the backup to be stored on any external device on the network.

The ICS Malware Analysis Sandbox analyzes suspicious files by executing them in a virtualized OT environment

ABOUT CYBERX
We know what it takes.
CyberX delivers the only industrial cybersecurity platform built by blue-
team cyber-experts with a proven track record defending critical national
infrastructure. That difference is the foundation for the most widely-deployed
platform for continuously reducing ICS risk and preventing costly production
outages, safety failures, and environmental incidents.

Notable CyberX customers include 2 of the top 5 US energy providers; a top 5 US chemical company; a top 5 global pharmaceutical company; and national electric and gas utilities across Europe and Asia-Pacific. Strategic partners include industry leaders such as Palo Alto Networks, IBM Security, Splunk, Optiv Security, DXC Technologies, and Deutsche-Telekom/T-Systems.

Customers choose CyberX because it’s the simplest, most mature, and most
interoperable solution for auto-discovering their assets, identifying critical
vulnerabilities and attack vectors, and continuously monitoring their ICS
networks for malware and targeted attacks. What’s more, CyberX provides
the most seamless integration with existing SOC workflows for unified IT/OT
security governance.

For more information visit CyberX-Labs.com or follow @CyberX_Labs.
